File deletion lab instructions and lab report template

This document includes both the lab instructions and empty boxes for you to embed your screenshots and answers to lab questions. Please use this document for your lab report.

Overview

The goal of this lab is to familiarize students with some issues related to file deletion.

Students need to understand that there are different designs for how data and metadata could be organized and managed on a disk to create a file system. Linux has been using what is called the extended file system (ext) for many years. This design has undergone some changes that have been called ext2, ext3, and now ext4. In DOS, Microsoft started out with what is called the file allocation table (FAT), which continued on with its early Windows products (i.e., Windows versions 1, 2, 3, 95, 98 and ME). When Microsoft designed Windows NT, they did a total redesign of the file system and called it the NT File System (NTFS), which has also undergone a few redesigns since it was first introduced around 1995.

In this lab you use what is called a virtual hard disk or a disk image, which is a file that is used to emulate a disk. The Windows OS uses the idea of “drive letters” to differentiate different places to store data, such as “C:” and “D:” and “H:”. Unix does not use such an abstraction. Instead, all data is accessed off some path from the root of the file system. When a disk is added, then the OS must be told where to “mount” it in the file system; sometimes this is configured and performed automatically, and sometimes it must be done manually. In this lab you will manually need to “mount” your virtual disks to a spot in the Labtainer VM home directory hierarchy.

The phrase “mounting a disk” is a leftover from older computing days when large things called disk packs had to be physically mounted in place. Today, the term “mounting a disk” usually means making the contents of a connected disk available to users as a file system.

NOTE: Due to the manner in which this lab creates the disk image that you will mount, this lab must be completed without rebooting the virtual machine. Pausing the machine is fine, but if it reboots, you will have to restart the lab with the “-r” option to get a fresh instance of the lab.

Lab Environment

This lab uses the Labtainer Linux-based virtual machine.

  • Start the Labtainer VM. Once the VM is running, from the labtainer-student terminal window, start the lab using the command:

labtainer file-deletion

starting command for lab

  • Once the lab completes the startup process, one terminal window for student@file-deletion will open for all the lab tasks.

window that automatically opens when lab starts, for student@file-deletion

  • At the end of the lab tasks, you will return to the labtainer-student terminal to stop the lab.

Lab Tasks

1) EXT2 Virtual Disk Mounting

In this task you will mount a virtual disk.

  • Use the ll command to display your home directory content. Notice the mnt directory, and use ll mnt/ to view the content of that directory.

Also notice the myfs.img file, which is a virtual EXT2 file system, and ntfs.img, which is a virtual NTFS file system. We will first work with the EXT2 file system.

Disks are mounted on “mount points”, which are directories. We will use the mnt directory as our mount point.

  • You can mount your virtual disk by entering the following:

sudo mount -o loop myfs.img mnt

Your file system is now mounted under the mnt directory.

  • Use the command ll mnt/ to display the size (in bytes) of the files under the directory mnt. The file size is displayed before the Month.
INSERT YOUR SCREENSHOT OF THE RESULT OF THE ABOVE COMMAND SHOWING THE FILES IN /MNT
  • Un-mount the disk by using the following command. This un-mounting is similar to removing a USB drive.

sudo umount mnt

2) Deleting a File on Unix

  • Try to display the contents of the disk myfs.img using the cat command:

cat myfs.img

The output from the cat command may have been a lot of gibberish and junk. The terminal is not equipped to display arbitrary data; it only displays ASCII data well.

  • Display the contents of myfs.img as raw data in hexadecimal notation, using the command:

hexdump -C myfs.img

The output of this command is in three columns: 1) the offset (i.e., location) in the disk image where the data is located, 2) the raw data (in hex), and 3) an ASCII representation of the same data (where possible). The * in the offset column replaces repeated data.

INSERT YOUR SCREENSHOT OF THE RESULT OF THE ABOVE COMMAND SHOWING THE HEXDUMP OF THE MYFS.IMG FILE
  • If we are interested only in the ASCII data in the file, we can extract this using the strings command. Use the following command to display the ASCII data and the offset of that data in myfs.img:

strings -td myfs.img

INSERT YOUR SCREENSHOT OF THE RESULT OF THE ABOVE COMMAND SHOWING THE OFFSETS FOR THE FILE NAMES AND FILE DATA
  • Re-mount your file system:

sudo mount -o loop myfs.img mnt

  • Use the following command to delete file2:

rm mnt/file2

  • Use the ls mnt command to verify that the deleted file is no longer present.
  • Once again, un-mount your file system:

sudo umount mnt

  • Again, display all the ASCII text in the “disk” by entering the following:

strings -td myfs.img

INSERT YOUR SCREENSHOT OF THE RESULT OF THE ABOVE COMMAND SHOWING THE OFFSETS FOR THE FILE NAMES AND FILE DATA
ADD YOUR ANSWER: COMPARE THE OUTPUTS OF THE STRINGS COMMANDS BEFORE AND AFTER THE FILE WAS DELETED. WHAT DO YOU OBSERVE? DO YOU SEE ANY SECURITY IMPLICATIONS?

3) Undeleting a File on Unix

In this task you will attempt to undelete the file you deleted earlier. In Unix this can be a tricky and difficult task, reserved for knowledgeable system administrators. Even then, when attempting to undelete a file there should not be anyone on the system creating new files, or the data may be lost permanently anyway. Later, we will undelete files using tools that know how to interpret the file system layout. These are especially useful when the file systems grow large and when the formats are complex. For this task, however, we will undelete files “manually” by looking at the raw bytes of the drive and without the assistance of any special file recovery tools.

  • Refer to your previous screenshot for the strings command after the file was deleted. Find the offset to the content of file 2 (i.e., where “Second file created” is located). You will need this number in the next step.
  • Use the dd command below to copy the data from the location on the disk to a new file (rfile2) that will hold the recovered data. Below, replace SKIPNUMBER with the offset you found above, and replace FILESIZE with the size of file2:

dd if=myfs.img bs=1 skip=SKIPNUMBER count=FILESIZE of=rfile2

This command pulled the data out of the virtual disk into another file, called rfile2. To fully restore the file, it may need to be put back into the file system, but for now we will leave it where it is.

  • Display the contents of the file you just recovered:

cat rfile2

INSERT YOUR SCREENSHOT SHOWING THE RESULTS OF THE CAT RFILE2 COMMAND

4) Securely Deleting a File on Unix

For some, it is comforting to know that it may be possible to undelete files. For others, it is frightening to know that something that was deleted may still be there. For the latter group, this task will show one way to securely delete a file on Ubuntu. You will be using a command called shred, which may not be installed on all Linux distributions, although most operating systems give you some utility or operation that will allow you to securely delete files.

  • Use the strings command to verify the existence of file3 and its data:

strings myfs.img

  • Re-mount your file system:

sudo mount -o loop myfs.img mnt

  • Use the following commands to view the files, securely delete file3, and then to confirm the deletion:

ls mnt

shred -uxz mnt/file3

ls mnt

  • Once again, un-mount your file system:

sudo umount mnt

  • Repeat the use of the strings command:

strings -td myfs.img

INSERT YOUR SCREENSHOT OF THE RESULT OF THE ABOVE STRINGS COMMAND, SHOWING THE OFFSETS FOR FILE NAMES AND FILE DATA
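
Added example (not part of the original lab handout): the manual recovery from Task 3 and the post-shred check from Task 4, scripted against a small constructed image so it runs without mount or sudo. The function names, the 64 KiB image, the 20480 offset and the use of GNU grep -a -b -o in place of strings -td are assumptions of this example; zeroing the region stands in for what the final pass of shred -z leaves in the data blocks.

```shell
#!/bin/sh
# Added example: script the Task 3 carve and the Task 4 check on a constructed image.

# Print the decimal byte offset of the first MARKER in IMAGE, or return 1.
# Needs GNU grep; equals the `strings -td` offset when the string starts with MARKER.
find_offset() {   # find_offset IMAGE MARKER
    hit=$(LC_ALL=C grep -a -b -o -F -- "$2" "$1" | head -n 1) || true
    [ -n "$hit" ] || return 1
    printf '%s\n' "${hit%%:*}"
}

# Copy SIZE bytes starting at OFFSET from IMAGE into OUT (the lab's dd step).
carve() {         # carve IMAGE OFFSET SIZE OUT
    dd if="$1" bs=1 skip="$2" count="$3" of="$4" 2>/dev/null
}

# Constructed 64 KiB "disk": zero fill plus one file body at a fixed offset,
# standing in for a data block that rm left behind.
make_demo_image() {   # make_demo_image IMAGE
    dd if=/dev/zero of="$1" bs=1024 count=64 2>/dev/null
    printf 'Second file created\n' |
        dd of="$1" bs=1 seek=20480 conv=notrunc 2>/dev/null
}

# Overwrite SIZE bytes at OFFSET with zeros without truncating the image.
zero_region() {   # zero_region IMAGE OFFSET SIZE
    dd if=/dev/zero of="$1" bs=1 seek="$2" count="$3" conv=notrunc 2>/dev/null
}

demo() {
    img=$(mktemp) && out=$(mktemp) || return 1
    make_demo_image "$img"
    off=$(find_offset "$img" 'Second file created') || return 1
    carve "$img" "$off" 20 "$out"          # 19 characters plus newline
    echo "offset=$off recovered: $(cat "$out")"
    zero_region "$img" "$off" 20
    if find_offset "$img" 'Second file created' >/dev/null; then
        echo "marker still present: data recoverable"
    else
        echo "marker gone: nothing left to carve"
    fi
    rm -f "$img" "$out"
}
demo
```

On the lab's real myfs.img, pass the image name and the text you are looking for to find_offset, then give carve the offset it prints and the file size from your ll output.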

5) NTFS Virtual Disk

As mentioned in the Introduction section, NTFS is the file system used by the professional versions of Windows. Because of the way NTFS manages files, it is much easier to undelete them, as long as new files have neither overwritten the metadata nor the “deleted” data on the disk.

  • Mount the virtual disk:

sudo mount -o loop ntfs.img mnt

  • Use the command ll mnt/ to display the size (in bytes) of the files under the directory mnt. The file size is displayed before the Month.
INSERT YOUR SCREENSHOT OF THE RESULT OF THE ABOVE COMMAND SHOWING THE FILES IN /MNT
  • Delete file1 and securely delete file3, using the commands:

rm mnt/file1

shred -uxz mnt/file3

  • Un-mount the “disk” by doing the following:

sudo umount mnt

  • Verify that the data still exists on the virtual disk by entering the following command:

strings -td ntfs.img | grep file

INSERT YOUR SCREENSHOT OF THE RESULT OF THE ABOVE STRINGS COMMAND
  • Use the ntfsundelete command to find information about deleted files, as shown below. Note that the inode number is the left-most number in the output.

ntfsundelete -p 100 ntfs.img

INSERT YOUR SCREENSHOT OF THE RESULT OF THE ABOVE COMMAND SHOWING THE INODE NUMBER FOR FILE1
  • Undelete file1 using the following command (replacing INODE with the number of the recoverable file):

ntfsundelete --undelete --inodes INODE --output rfile1 ntfs.img

  • Use ll to list the contents of the current directory. You should see the deleted file. Once again, this utility pulls the file out of the file system.
  • Use the cat command to display the content of rfile1.
INSERT YOUR SCREENSHOT OF THE RESULT OF THE ABOVE CAT COMMAND SHOWING THE CONTENT OF RFILE1

6) Complete and get lab results file

After finishing the lab, go to the terminal window that was used to start the lab and type:

stoplab

When you stop the lab, the system will display a path to the zipped lab results on your Linux system. A link to the labtainer_xfer directory is on the VM desktop. A separate sub-directory with the lab’s name will be created here for each lab you do. The lab results file with the .lab extension will be in here.

Attach this lab results file as part of your lab submission on Blackboard, along with the completed lab report template.
